115 matches found
CVE-2026-50637
Metrics::Any::Adapter::Statsd versions before 0.04 for Perl do not protect against metric injections. The statsd protocol and extensions allow multiple metrics, separated by newlines, to be sent per packet. The send method does not validate the contents of the metric names or values. If the names...
CVE-2026-53437
Jenkins 2.567 and earlier, LTS 2.555.2 and earlier improperly determines that a redirect URL after login is legitimately pointing to Jenkins when it contains tab or newline characters between //, allowing attackers to perform phishing attacks...
GHSA-37M5-M4Q3-FC6X Froxlor: BIND Zone File Injection via TXT Record Content
Summary: The DomainZones.add API endpoint does not sanitize newline characters in TXT record content. An authenticated customer with DNS editing enabled can inject newlines into TXT record values, which break out of the record line in the generated BIND zone file. This enables injection of arbitra...
CVE-2026-33412 Vim affected by Command injection via newline in glob()
Vim is an open source, command line text editor. Prior to version 9.2.0202, a command injection vulnerability exists in Vim's glob function on Unix-like systems. By including a newline character \n in a pattern passed to glob, an attacker may be able to execute arbitrary shell commands. This...
CVE-2026-33412
Vim is affected by CVE-2026-33412: command injection via a newline in glob() when untrusted input is passed into glob(), affecting Vim versions before 9.2.0202. The vulnerability can be triggered by Vimscript plugins inserting untrusted user input into glob(), posing a significant risk. Mitigatio...
SUSE CVE-2026-33412
Vim is an open source, command line text editor. Prior to version 9.2.0202, a command injection vulnerability exists in Vim's glob function on Unix-like systems. By including a newline character \n in a pattern passed to glob, an attacker may be able to execute arbitrary shell commands. This...
BIT-CEPH-2020-10753
A flaw was found in the Red Hat Ceph Storage RadosGW Ceph Object Gateway. The vulnerability is related to the injection of HTTP headers via a CORS ExposeHeader tag. The newline character in the ExposeHeader tag in the CORS configuration file generates a header injection in the response when the...
CVE-2026-29085 Hono: SSE Control Field Injection via CR/LF in writeSSE()
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.12.4, when using streamSSE in Streaming Helper, the event, id, and retry fields were not validated for carriage return (\r) or newline (\n) characters. Because the SSE protocol uses line breaks as...
PT-2026-23076
Name of the Vulnerable Software and Affected Versions: Hono versions prior to 4.12.4. Description: Hono is a Web application framework supporting various JavaScript runtimes. A flaw exists where the event, id, and retry fields within the streamSSE function in the Streaming Helper were not properly...
EUVD-2020-20506
Malware in sbrugna...
EUVD-2014-2248
Malware in sbrugna...
EUVD-2020-27729
Malware in sbrugna...
EUVD-2023-1500
Malicious code in bioql PyPI...
EUVD-2021-27510
Malicious code in bioql PyPI...
EUVD-2025-16338
Malicious code in bioql PyPI...
netty-codec-http: Netty is vulnerable to request smuggling due to incorrect parsing of chunk extensions
A flaw in Netty’s HTTP/1.1 chunked encoding parser allows newline (LF) characters in chunk extensions to be incorrectly treated as the end of the chunk-size line instead of requiring the proper CRLF sequence. This discrepancy can be exploited in rare cases where a reverse proxy interprets the same...
PT-2025-22989
Name of the Vulnerable Software and Affected Versions: Firefox versions prior to 139; Firefox ESR versions prior to 115.24; Firefox ESR versions prior to 128.11. Description: The issue is due to insufficient escaping of the newline character in the "Copy as cURL" feature. An attacker could trick a use...
CVE-2020-28015
Exim 4 before 4.94.2 has Improper Neutralization of Line Delimiters. Local users can alter the behavior of root processes because a recipient address can have a newline character...
CVE-2018-20583
Cross-site scripting (XSS) vulnerability in the PHP League CommonMark library versions 0.15.6 through 0.18.x before 0.18.1 allows remote attackers to insert unsafe URLs into HTML even if allow_unsafe_links is false via a newline character (e.g., writing javascript as javascri%0apt)...
GHSA-86C2-4X57-WC8G Git Credential Manager carriage-return character in remote URL allows malicious repository to leak credentials
Description: The Git credential protocol is text-based over standard input/output, and consists of a series of lines of key-value pairs in the format key=value. Git's documentation restricts the use of the NUL (\0) character and newlines to form part of the keys or values. When Git reads from...